Catherine Carpentier-Desjardins, Masarah Paquet-Clouston, Stefan Kitzler, Bernhard Haslhofer, Mapping the DeFi crime landscape: an evidence-based picture, Journal of Cybersecurity, Volume 11, Issue 1, 2025, tyae029, https://doi-org-443.vpnm.ccmu.edu.cn/10.1093/cybsec/tyae029
Abstract
Decentralized finance (DeFi) has been the target of numerous profit-driven crimes, but the prevalence and cumulative impact of these crimes have not yet been assessed. This study provides a comprehensive assessment of profit-driven crimes targeting the DeFi sector. We collected data on 1141 crime events from 2017 to 2022. Of these, 1036 were related to DeFi (the main focus of this study) and 105 to centralized finance (CeFi). The findings show that the entire cryptoasset industry has suffered a minimum loss of US$30B, with two-thirds related to CeFi and one-third to DeFi. Focusing on DeFi, a taxonomy was developed to clarify the similarities and differences among these crimes. All events were mapped onto the DeFi stack to assess the impacted technical layers, and the financial damages were quantified to gauge their scale. The results highlight that during an attack, a DeFi actor (an entity developing a DeFi technology) can serve as a direct target (due to technical vulnerabilities or exploitation of human risks), as a perpetrator (through malicious uses of contracts or market manipulations), or as an intermediary (by being imitated through, for example, phishing scams). The findings also show that DeFi actors are the first victims of crimes targeting the DeFi industry: 52% of events targeted them, primarily due to technical vulnerabilities at the protocol layer, and these events accounted for 83% of all financial damages. Alternatively, in 41% of events, DeFi actors were themselves malicious perpetrators, predominantly misusing contracts at the cryptoasset layer (e.g. rug pull scams). However, these events accounted for only 17% of all financial damages. The study offers a preliminary assessment of the size and scope of crime events within the DeFi sector and highlights the vulnerable position of DeFi actors in the ecosystem.
Introduction
The rapid growth in value of cryptoassets (CA; all digital representations of value that utilize a form of distributed ledger technology and can be transferred, stored, or traded electronically), coupled with recent developments in blockchain technologies, has provided momentum for the decentralized finance (DeFi) industry to emerge. The DeFi industry aims to provide transparent, open-source, and permissionless online financial services [1]. The term ‘DeFi’ was coined in 2018 by entrepreneurs developing the Ethereum blockchain and ‘refers to financial services that build upon the decentralized foundations of blockchain technology’ [2]. In essence, DeFi applications offer financial services such as swapping assets via decentralized exchanges (DEXs), lending and borrowing assets through lending protocols, and speculating on future prices using derivative products. Moreover, DeFi enables a novel form of software-driven financial engineering, allowing service providers to merge functions from various DeFi protocols (DPs) to introduce novel, intricate, and deeply nested financial services. For a comprehensive overview of the technical building blocks and financial functions of DeFi, readers are directed to [3].
DeFi is part of the CA industry, which also includes centralized finance (CeFi). In contrast to DeFi, CeFi allows the flexible trading of both fiat and CA through a centralized governance system [4]. Since the inception of the CA industry, government agencies have faced difficulties in developing and/or enforcing a regulatory framework surrounding the industry [1]. Moreover, the large amount of money that the industry handles, close to USD 2.3 trillion in 2021 [5], coupled with its decentralized and pseudoanonymous features, makes it an attractive setting for profit-driven crime [6–8]. Indeed, previous studies have shown that CA can serve as a means for money laundering [6,8,9] or as a means of payment for criminal activities such as extortion schemes [10–12]. Within this industry, the DeFi sector specifically has also experienced its share of criminal events. For example, there have been several accounts of developers abandoning their DeFi projects and fleeing with their investors’ money, also known as rug pull scams [13]. A vast array of techniques has also been developed to exploit blockchain technologies or smart contracts for theft purposes [14].
To date, several studies have explored specific crime types occurring in the DeFi industry [15–17] or have developed tools to detect such attacks and/or establish countermeasures [18–20]. However, there is still a need to draw a broader picture of the crime landscape beyond technical specifics and crime types. Such a picture can inform future users, investors, and policymakers about where to focus their efforts and resources to better secure this emerging sector.
This study offers a comprehensive assessment of profit-driven crimes targeting the DeFi sector. To achieve this, we collected 1141 crime events from 2017 to 2022, of which 1036 related to the DeFi industry and 105 to the CeFi industry. The first objective (Obj. 1) of the study is to develop an evidence-based taxonomy to identify the tactics and strategies used to steal money, as well as how DeFi actors are involved in crime events. In this study, DeFi actors represent any individual, group, or organization supporting the operations of DeFi services, including blockchain, fungible token (FT), nonfungible token (NFT), exchange, lending, derivative, Dapp, yield, staking, bridge, and oracle services. The second objective (Obj. 2) employs the framework developed by [3] to assess which technical layer of the tech stack is most impacted by such crime events. The third objective (Obj. 3) quantifies the financial damages associated with these crimes. In short, the first objective provides a novel aggregate view of the crime landscape beyond technical specifics or broad categorizations like ‘scam’ or ‘fraud’, while the second objective allows for a clearer understanding of where malicious activities occur within the DeFi tech stack, and the third objective determines which types of crimes are most detrimental in the industry. To meet these objectives, a set of mixed methods, from content analyses to nonparametric tests, is employed. Our findings can be summarized as follows:
The CA industry suffered a minimum loss of $30 billion from 2017 to 2022, with two-thirds relating to CeFi and one-third to DeFi.
During an attack, DeFi actors can serve as a direct target due to technical vulnerabilities or human risk exploitation, become perpetrators through misuse of contracts or market manipulations, or act as intermediaries by being imitated through, for example, phishing campaigns.
DeFi actors are the first victims of crimes targeting the DeFi industry: 52% of crime events targeted them, mainly exploiting their technical vulnerabilities. These events accounted for nearly 83% of all recorded financial damages.
A total of 41% of crime events were initiated by DeFi malicious perpetrators through misuse of contracts (e.g. rug pull scams). However, these events accounted for only 17% of all financial damages.
The most impacted layers of the tech stack, in terms of number of crime events, were the DeFi protocol and Cryptoasset layers. The most financial damages were, however, experienced on the DeFi protocol and Interface layers.
These key insights highlight that the CeFi sector experiences larger financial losses. Also, many attacks target legitimate DeFi actors who genuinely contribute to the ecosystem. Given that the sector does not yet have a reliable safety net [3], such as a supervision authority that systematically audits DPs or state-backed deposit insurance, it is crucial to protect actors from criminal conduct or fraud. This can be done by fostering collaboration between regulators and actors to establish clear guidelines for DeFi operations. Events where DeFi actors behave maliciously are also prevalent, but result in fewer financial damages. Although these events are smaller in scale, all stakeholders in the ecosystem should advocate increasing user awareness that such malicious projects exist and providing tools that can help users assess the potential risks of investing in a project. The dataset developed for this study is available online (https://zenodo.org/records/14047933) to support research reproducibility and further analysis by other researchers.
Crime in the DeFi industry: a review of the literature
Several types of crimes have been accounted for in the ecosystem, from Ponzi schemes [21–23] to oracle attacks [19,24], rug pulls [25,26], or scams [23,27]. The review below provides an aggregated overview of studies focusing on crime in the DeFi industry.
To date, three studies have developed an aggregate analysis of crime events taking place in the DeFi ecosystem [28–30]. The author of one study [28] argued that DeFi technologies could either be a facilitating tool for cybercrime (e.g. scam or fraud) or a target of attacks. For cases where DeFi actors are the target, another study (which analysed 20 reported vulnerability exploits) stated that they could be victims of both protocol and market attacks [29]. Protocol attacks take advantage of a protocol implementation’s shortcomings and impact said protocol only, while market attacks instead exploit a protocol’s flawed business logic in ways that can impact multiple protocols. For example, a protocol’s governance system choice could lead to a protocol attack, while manipulating an oracle could penalize multiple protocols, making it a market attack. This categorization also resembles the one developed in [30] that separates technical security from economic security, as technical exploits on DeFi actors leave no room for the underlying blockchain system, markets, or other agents to react to such exploits, while economic exploits allow a window of reaction. In fact, the outcome of a smart contract exploit attempt is dichotomous, as either a profit will instantly be made or the operation will simply not be executed, while attempting to manipulate an oracle’s or an asset’s price will typically require more steps, more capital, and will not have a guaranteed outcome [30].
Hence, the literature differentiates between technical/security attacks aiming directly at the technology and market/economic attacks, which relate to manipulating economic incentives. Beyond this categorization, scholars have conducted studies to systematize knowledge on the types of attacks taking place in the ecosystem and their related techniques [14,31–33]. These studies identify vulnerabilities on different layers of the blockchain, discuss the possible attacks to exploit them, state the consequences, and discuss defense mechanisms [14,31–33]. While they help understand how attacks work, they do not inform on the current state of the ecosystem, as they mainly rely on previous literature rather than real-life cases. One exception includes a study by [34], which relied on real-life events but did not elaborate on their prevalence or the extent of their financial damages. In addition, another study categorized the types of attack by blockchain layers by relying on a set of 181 reported DeFi crime events, existing literature, and audit reports [35]. While the framework presented remains very technical, the authors were able to provide insights on the ecosystem, as they found that the majority of DeFi incidents took place in late 2020 and peaked in August 2021 [35]. They also stated that the most targeted blockchain layers were the smart contract and application ones [35]. This aligns with other studies pointing out that recurring exploitations include smart contract exploits and design flaws [32,36,37], such as flash loans being used as a vehicle to significantly amplify attack profit [29,38]. In their conclusion, [35] also estimated that the DeFi industry, including users, liquidity providers, speculators, and protocol operators, has suffered a loss of at least 3.24 billion USD (p.1).
Moreover, some studies account for the role of humans in technical/security attacks [14,39,40]. For example, one study proposed a taxonomy of vulnerability root causes, which included flawed smart contract programming, Ethereum’s design/implementation and human factors [14]. The authors introduced the idea that human factors, like improper configuration, can cause vulnerabilities, as they can lead to erroneous permissions for an Ethereum client. Another study highlighted that phishing attacks on team members and improper key management, such as inefficient storage methods, can lead to the compromise of deployers’ private keys and their subsequent usage by unauthorized parties [39]. In addition, [40] discussed insider attacks, which can occur when someone with administrative privileges accesses the computer system and performs unauthorized operations [40].
DeFi users, moreover, represent another human vulnerability and several studies have investigated how DeFi users can be deceived through various fraudulent techniques, from social engineering [41,42] to phishing [43] and more [27,44]. Two studies have also examined how traditional financial market frauds, such as Ponzi schemes and pump-and-dumps, have modernized with CA: they can now be preprogrammed in smart contracts [21,45]. Additional studies have also investigated the various forms of scams taking place in the DeFi ecosystem [26,27,46]. For example, the prevalence of phishing scams was investigated by [26], which identified 300 fake exchange apps and 1595 scam domains. The uncovered fake applications affected a total of 38 legitimate exchanges, which included almost all major CA exchanges. Another study explained that some phishing exchanges were solely created to get users to voluntarily deposit assets, while others were created to replicate a wallet extension and steal users’ private keys [46]. Other studies also investigated imitation scams or giveaway scams [27,46], where an attacker typically imitates a celebrity on social media, claiming to give away CA. A study found that the average transaction value sent by users to different forms of giveaway scams ranged from USD 300 to USD 1312 [27]. While all these scams are still ongoing, recent work shows that rug pull scams, where creators flee with investors’ assets, are the latest rising fraudulent activity trend in the ecosystem, and one of the most financially damaging [25,47,48]. Specifically, one study [47] stated that users lost about USD 2.8B when rug pulls were at their peak in 2021. Also note that trading pairs and liquidity pools are central to these rug pull scams, as removing liquidity or dumping assets is often what initiates the exit scam [48].
On the other hand, [48] explained that the contract can be malicious in itself, as deployers hide minting functions or functions that restrict investors from selling their tokens. Some authors differentiate hard rug pulls, which refer to the use of a malicious smart contract to defraud investors, and soft rug pulls, which refer to asset manipulation by the developer, like pump-and-dump [25,48].
Finally, techniques have been developed to detect various types of crime events [48–50]. For example, pump-and-dump scams were investigated by uncovering anomalies in DeFi projects with machine learning [49,51]. Other studies have developed techniques to detect malicious contracts by scanning their code [48,50]. For example, by categorizing more than 20 000 tokens on the Uniswap protocol, [50] labelled 631 tokens as nonmalicious, and 26 957 as malicious, suggesting that fraudulent tokens were more prevalent than legitimate ones in the DeFi ecosystem.
This study
Overall, to better understand crime trends in the DeFi industry, many studies either inform on the types of attack taking place in the ecosystem [14,31], explore a type of attack thoroughly [15–17] and/or develop tools to detect such attacks and establish countermeasures [18–20]. Given this review, one can see that the DeFi industry represents a hotbed for crime. To better understand crime trends in the DeFi ecosystem, categorizations have been developed, from economic/market [29,30] to technical (e.g. contract vulnerability exploitation) [35] to social attacks (e.g. scams) [41,43]. Several specific types of crimes have also been investigated [21,25].
However, as of today, there is a need to better understand the similarities and differences among crimes targeting the DeFi industry, beyond broad categorizations and/or an exclusive focus on their technical details. Moreover, although the methods used and the types of crimes are well known, the common strategies used to steal money have yet to be uncovered and analysed. Differentiating these aspects in crime events and assessing their prevalence and level of financial damages can inform policy makers on where to mitigate financial risks. Indeed, if the most prevalent and damaging events are those where the DeFi actor is, for example, complicit in the crime, then policy makers should develop better auditing processes to verify the legitimacy of DeFi actors as well as campaigns to better inform customers. On the other hand, if DeFi actors are most often targeted by external actors, then policy makers should encourage cybersecurity investments to better protect them.
Hence, this study provides a first comprehensive assessment of profit-driven crimes targeting the DeFi sector using 1141 reported crime events from 2017 to 2022. For clarity, we use Naylor’s general theory of profit-driven crime [52,53] to define which crime events are of interest to this study. Specifically, we focus on crime events that involve the illegal redistribution of existing wealth from a victim to an offender, also known as predatory crimes [52]. We do so by relying on reported events in the media, as these crimes are typically reported by victims [52,53]. To better understand the wide array of predatory profit-driven crimes taking place in this sector, we develop an evidence-based taxonomy and identify the tactics and strategies used to steal money, as well as how DeFi actors are involved in crime events (Obj. 1). We also map which layer is most impacted by such crimes, drawing from the DeFi Stack Reference (DSR) model proposed by Auer et al. [3] (Obj. 2) and we quantify the financial damages associated with these crimes (Obj. 3).
Data and methods
Dataset creation
Initially, all crime events listed by the aggregators from 2013 to 2022 were collected [De.Fi $N = 2699$, SlowMist $N=907$, and CryptoSec (now ChainSec) $N=106$], leading to 3712 events. As event coverage varies greatly between aggregators, we used them as complementary sources rather than comparing them. We obtained the majority of our information from the De.Fi REKT database. This aggregator was prioritized because: (1) the authors behind the database built it with the clear objective of identifying and listing all crime events, (2) they converted the stolen amount to USD at the time of the recorded event, and (3) they based their conclusions on a proactive blockchain investigation approach, providing links, most of the time, to relevant transactions and addresses as proof of work. SlowMist and CryptoSec (now ChainSec), on the other hand, are mainly news aggregators and cover the most mediatized events.
During the Fall of 2022 and early 2023, one author was tasked with creating the crime event dataset. The events were coded according to the content of the event summary provided by the aggregator, which gathered basic information, such as how the event unfolded and who was targeted. As none of the aggregators publicly disclosed a thorough method on how they collected, reported and summarized events, measures were taken to alleviate the risk of relying on false information. First, events’ occurrence and summaries’ legitimacy were verified by consulting all sources linked by aggregators. Such sources included postmortem analysis from involved DeFi actors and security firms, as well as news articles and relevant social media posts. Second, for less detailed summaries with no external links provided by the aggregators, we conducted searches on the Google search engine to find additional sources. Consulting external links from aggregators, as well as conducting manual searches, enabled us to verify the accuracy of the information and ensure a comprehensive understanding of the event. A first review of the dataset was conducted to categorize events and remove all crime events for which aggregators did not link sources and no related sources could be found manually ($N=73$).
The dataset was reviewed by all four authors in an independent session. In this session, open discussions led to removing certain types of crime events. For instance, all crimes that were not profit-driven ($N=38$) were removed. We also removed all events that did not directly involve a DeFi actor ($N=30$), such as regular fiat currency thefts where assets were later laundered through DeFi services. In addition, all events discussing vulnerability discoveries through security teams or bug bounty programs were excluded ($N=19$), along with all attempted attacks ($N=6$). Events for which we did not have enough information to understand the actor’s involvement in the crime event were also dismissed ($N=15$).
Moreover, some DeFi scams on De.Fi REKT were listed as a warning rather than as an event report ($N = 1859$). Precisely, De.Fi REKT listed these events as scam projects as they noticed their smart contract contained malicious terms or functions that could represent a risk for investors. Since neither financial losses nor crimes had yet taken place, we removed them from the dataset. Finally, we merged all duplicates between and within aggregators ($N=480$), and removed all crime events taking place prior to 2017 ($N=51$), as fewer events were listed for those earlier years, and limited information was available for such events. This resulted in a sample of 1141 reported profit-driven crime events.
Information extraction from crime events
From these 1141 crime events, we extracted the name of the DeFi actor involved in the crime event along with the date of the event and a description of the course of the event. Such descriptions, together with our review of additional sources, were used to create the taxonomy presented below. Considering the date of the event, Fig. 1 shows the number of reported crime events in our dataset per year. We can observe an increase over the years, with more than half of the events occurring in 2021 and 2022. This increase can be explained by DeFi’s rapid growth during that period. Note that in the past years, efforts have also been put in place to detect and report CA-related crimes, which might explain why more crime events have been uncovered recently.

Total number and total financial damages of reported crime events per year. A dual-axis line chart shows trends in DeFi crime events (continuous rising line) and financial damages (line with dollar signs) from 2017 to 2022. The x-axis represents years, the left y-axis shows event counts (0–500), and the right y-axis shows financial damages (0–$10B). Event counts steadily rise from 16 in 2017 to 430 in 2022. Financial damages fluctuate, peaking at $8B in 2018, dropping to $1.5B–$1.7B between 2019 and 2020, then surging to $11.4B in 2021 before declining to $6.4B in 2022.
To gather stolen amounts, we first used the information available on De.Fi’s REKT database, which reported USD amounts as the database curators conducted the conversion when reporting the crime [57]. For events retrieved solely from one of the two other aggregators, the reported amount was converted from the stolen currency to USD using CoinMarketCap’s historical data [59]. For precision purposes, we used the mean of the four USD recorded values the website provides per date (earliest data in range, lowest, highest, and last). This value was then multiplied by the initial stolen currency’s amount to obtain the stolen amount value in USD. Hence, all results below are in USD and the currency is not mentioned anymore when reporting amounts in the text. To double-check the information collected, we randomly selected 50 crime events and verified the amounts against those reported by other sources. Specifically, we searched other news articles announcing the crime event and compared the amount in news articles (e.g. CoinDesk and Crypto News) with the one announced by the aggregator. The amount in our final dataset was consistent with other sources 94% of the time (47/50). Information on stolen amounts was available for 984 events.
Figure 1 also illustrates the total yearly financial damages reported in our dataset, showing a significant increase in 2021. In terms of descriptive statistics, the minimum stolen amount was $158 and the maximum stolen amount was a non-negligible $3.6B. The latter related to the compromise of the South African platform Africrypt [60]. On average, $29.9M was stolen per incident. The standard deviation was $207M. In at least 50% of the crime events, more than $345k was stolen. The total amount stolen across these 984 crimes was $29.5B. A summary of these statistics is presented in Appendix Table 3.
Note that throughout the first phase of the analysis, 105 crime events related to CeFi were identified in our dataset. CeFi has similarities to traditional forms of CeFi as exchanges manage CA transactions for customers. DeFi, on the other hand, enables peer-to-peer transactions without the need for a centralized exchange. Yet, comparative estimates on CeFi and DeFi are still presented in the results section to provide an idea of the scale and scope of DeFi crime events, compared to CeFi, as they are part of the same CA industry. The final dataset on crime events targeting the DeFi sector thus includes 1036 DeFi crime events, with 904 including a stolen amount.
Obj 1: taxonomy creation
The evidence-based taxonomy was created by qualitatively analysing 1036 crime events that took place between 2017 and 2022. To create a taxonomy, we took a bottom-up approach and conducted an inductive content analysis [61]. This analysis involved deriving patterns or categories from the data. We first read all crime events and described them (open coding phase). From the description, we then created categories to assess the types of crimes and the methods used to steal money. These categories were then aggregated in larger categories (abstraction phase) with the aim to group crime events together based on how the money was stolen. This led us to develop three categories: specific tactics, general tactics, and strategies.
Specific tactics referred to the technique used to realize the crime, often as reported in the literature, such as rollback attacks or Ponzi schemes. General tactics, on the other hand, focused on finding the common techniques or methods used by malicious actors to steal money, such as exploiting a contract or misappropriating funds. Such general tactics could further be aggregated in all-encompassing categories that displayed the strategy accounting for the main approach used to steal funds. This category denotes the high-level approach used in the illicit extraction of funds, such as exploiting a human risk or a technical vulnerability. Finally, based on the three previous categories, it seemed obvious that the involvement of the DeFi actor in the crime event had to be differentiated. This differentiation provided a clearer understanding of their role in such events. The taxonomy is presented in the results section, along with crime prevalence in each category.
Obj 2: mapping crime events on the technical DeFi stack
To meet our second objective, we first identified the primary technical area of operation for DeFi actors within the DeFi sector. We then mapped this categorization to the DSR model proposed by Auer et al. [3] to determine where crime events had the most significant impact.
Using categorizations from crime aggregators and DeFiLlama [62]—the most extensive aggregator of DeFi actors to date—as well as information from the actors’ websites, we established 12 categories. These categories represent the primary technical areas of operation for DeFi actors: blockchain, fungible tokens, non-fungible tokens, exchanges, lending, derivatives, Dapps, yield farming, staking, bridges, oracles, and others. Figure 2 illustrates the total number of events and financial damages for each actor’s category (which is based on their main area of operation) over the years. For the detailed numbers, see Appendix Table 4. FTs, Dapps, and exchange services were most involved in crime events. However, events involving bridges or the underlying blockchain faced higher financial damages.

Count and financial damages per year per actor category. Two stacked area charts display trends in DeFi crime events and financial damage by category from 2017 to 2022. The left chart, titled Crime Event Count, shows event counts increasing sharply after 2019. The right chart, titled Financial Damage, reveals fluctuations, with a peak in 2018 for FT (fungible tokens) and sharp growth post-2020 led by the other categories. A legend at the bottom categorizes events into Yield, Lending, Bridge, Derivatives, Blockchain, Staking, NFT, Oracle, Dapp, FT, Exchange, and Other.
Next, we aligned this categorization with the DSR model. A key attribute of this framework is the ‘abstraction principle’. Each layer encompasses well-defined functions, utilizing functionality from the layer directly below and offering functionality to the one above. Since the DSR primarily represents DPs without accounting for the surrounding technical context, we augmented the model to include this aspect, situating it within a broader system environment.
Figure 3 presents the DSR model with its technical layers, embedded within a broader system environment. The System Infrastructure layer forms the foundation of the DSR model. This layer can be targeted by crime events, potentially impacting all layers above it. Built upon the SYS layer, the DSR model introduces the Distributed Ledger Technology layer, tasked with settling transactions and executing programs in a distributed system environment. The subsequent layer, Cryptoassets, signifies assets that represent transferable value within a DLT system. The DeFi Protocols layer offers advanced financial services constructed on CA. Examples include DEXs that facilitate CA exchanges, Lending protocols enabling users to lend or borrow CA, and Derivative protocols that allow trading of synthetic positions mirroring the value of an underlying asset. A distinctive feature of DeFi is its ability to harness the financial functions of various DPs to introduce new financial services, termed DeFi Protocol Composition. User Applications denote the topmost layer of the DSR model. Additionally, we have incorporated the Interfaces layer, commonly known as Oracles and Bridges, as a distinct orthogonal layer.
Augmented DSR model from Auer et al. [3]. A layered diagram illustrates the DeFi technology stack, organized into five tiers. At the top, Application Front-end Interfaces (User Applications) include interfaces used by users. Below, DeFi Compositions lists DEX Aggregators and Yield Aggregators. The next layer, DeFi Protocols, includes Decentralized Exchanges, Derivatives Protocols, and Lending Protocols. Underneath, the Cryptoassets layer includes Non-fungible Tokens (NFTs) and Fungible Tokens. The second-to-last layer, Distributed Ledger Technology, mentions key functions: Consensus, State Replication, and Program Execution, illustrated with interconnected block icons. At the bottom, System Infrastructure supports all layers, while the right side labels the upper three tiers as Interfaces. The diagram visually explains the hierarchical components of the DeFi ecosystem.
Using this model, we identified the highest and most specific layer impacted in the DeFi stack model for each crime event in our sample, based on the actor’s category. For instance, a crime event associated with a DeFi lending protocol would be allocated to the DP layer. Considering the previously mentioned ‘abstraction principle’, such an event would also encompass CA, as DeFi lending protocols enable the lending and borrowing of CA.
Obj 3: measuring and comparing financial damages
To achieve the third and final objective, financial damages were measured and compared according to the taxonomy and tech stack presented before. Due to the highly skewed distributions, nonparametric tests were used, including Mann–Whitney U, Kruskal–Wallis, and Dunn’s post hoc tests. The significance level was set to 0.05 (|$\alpha = 0.05$|). When there were only two groups to compare, a Mann–Whitney U test was computed. The Mann–Whitney U test compares the distributions of a continuous variable between two independent groups [63]. When significant, effect sizes were reported using Cliff’s delta (d) [64]. When comparing multiple groups, Kruskal–Wallis H tests were computed [65] and effect sizes were measured by calculating the epsilon squared (|$\epsilon ^2$|) [66]. Given significant results of a Kruskal–Wallis H test, Dunn’s post hoc tests with Bonferroni correction were finally computed [67,68]. Precisely, Dunn’s test identifies which groups are driving the significant difference found in the Kruskal–Wallis H test by comparing the difference between all pairs of groups. Since Dunn’s test computes each pairwise comparison separately, a Bonferroni correction was used to adjust the P-value and thus reduce the chance of making a Type I error. Finally, effect sizes for all significant post hoc tests were measured using Cliff’s delta (d) [64]. Also, when test results are presented, the median (|$\tilde{x}$|) for each type of crime event is reported.
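The test sequence described above, run as an added example (not the authors' code) in standard-library Python: Mann–Whitney U with Cliff's delta, Kruskal–Wallis H with epsilon squared, then Dunn's test with Bonferroni adjustment. The loss amounts, the function names, and the normal and chi-square approximations used for the P-values are assumptions of this example.

```python
import math
from itertools import combinations

def midranks(values):
    """1-based ranks; tied values share the mean of the positions they occupy."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def tie_term(values):
    """Sum of t^3 - t over every run of t tied values (0 without ties)."""
    counts = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    return sum(t ** 3 - t for t in counts.values())

def two_sided_p(z):
    """Two-sided p-value for a standard normal statistic."""
    return math.erfc(abs(z) / math.sqrt(2))

def chi2_sf(x, df):
    """Upper tail of the chi-square distribution for integer df (closed form)."""
    if x <= 0:
        return 1.0
    y, odd = x / 2, df % 2
    total = math.erfc(math.sqrt(y)) if odd else 0.0
    for i in range(df // 2):
        a = i + 0.5 * odd  # exponent: i for even df, i + 1/2 for odd df
        total += math.exp(-y) * y ** a / math.gamma(a + 1)
    return total

def mann_whitney(a, b):
    """Return (U of group a, two-sided p by normal approximation, Cliff's delta)."""
    pooled = list(a) + list(b)
    n1, n2, n = len(a), len(b), len(pooled)
    u = sum(midranks(pooled)[:n1]) - n1 * (n1 + 1) / 2
    var = n1 * n2 / 12 * ((n + 1) - tie_term(pooled) / (n * (n - 1)))
    delta = 2 * u / (n1 * n2) - 1  # P(a > b) - P(a < b)
    return u, two_sided_p((u - n1 * n2 / 2) / math.sqrt(var)), delta

def kruskal_dunn(groups, alpha=0.05):
    """Kruskal-Wallis H and epsilon squared; if significant, Dunn's pairwise
    tests with Bonferroni adjustment and Cliff's delta for significant pairs."""
    names = list(groups)
    pooled = [v for g in names for v in groups[g]]
    n, ranks, ties = len(pooled), midranks(pooled), tie_term(pooled)
    mean_rank, h, start = {}, 0.0, 0
    for g in names:
        r = ranks[start:start + len(groups[g])]
        start += len(r)
        mean_rank[g] = sum(r) / len(r)
        h += sum(r) ** 2 / len(r)
    h = (12 / (n * (n + 1)) * h - 3 * (n + 1)) / (1 - ties / (n ** 3 - n))
    out = {"H": h, "p": chi2_sf(h, len(names) - 1),
           "epsilon_sq": h / (n - 1), "dunn": {}}
    if out["p"] >= alpha:
        return out  # no post hoc tests after a nonsignificant omnibus test
    pairs = list(combinations(names, 2))
    base = n * (n + 1) / 12 - ties / (12 * (n - 1))
    for g1, g2 in pairs:
        se = math.sqrt(base * (1 / len(groups[g1]) + 1 / len(groups[g2])))
        z = (mean_rank[g1] - mean_rank[g2]) / se
        p_adj = min(1.0, two_sided_p(z) * len(pairs))  # Bonferroni
        delta = mann_whitney(groups[g1], groups[g2])[2] if p_adj < alpha else None
        out["dunn"][(g1, g2)] = (p_adj, delta)
    return out

# Constructed loss amounts in USD, right-skewed like incident losses;
# they are not values from the paper's dataset.
LOSSES = {
    "malicious_use_of_contracts": [5_000, 12_000, 30_000, 76_000, 90_000,
                                   250_000, 400_000, 1_200_000],
    "technical_vulnerability": [60_000, 150_000, 500_000, 760_000, 2_000_000,
                                8_000_000, 35_000_000, 600_000_000],
    "human_risks": [300_000, 1_500_000, 2_100_000, 25_000_000, 90_000_000,
                    480_000_000],
}

def run_example():
    """Two-group comparison (target vs perpetrator), then the per-strategy tests."""
    target = LOSSES["technical_vulnerability"] + LOSSES["human_risks"]
    perpetrator = LOSSES["malicious_use_of_contracts"]
    return mann_whitney(target, perpetrator), kruskal_dunn(LOSSES)

if __name__ == "__main__":
    (u, p, d), kw = run_example()
    print(f"Mann-Whitney: U={u:.0f} p={p:.4f} Cliff's d={d:.3f}")
    print(f"Kruskal-Wallis: H={kw['H']:.2f} p={kw['p']:.4f} "
          f"eps^2={kw['epsilon_sq']:.2f}")
    for (g1, g2), (p_adj, delta) in kw["dunn"].items():
        print(f"Dunn {g1} vs {g2}: adjusted p={p_adj:.4f} d={delta}")
```

On this constructed sample the unadjusted difference between malicious use of contracts and technical vulnerability would pass the 0.05 threshold, but it does not survive the Bonferroni adjustment; only the pair with human risks remains significant.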
Results
The results section below is organized into four subsections. First, we present CeFi and DeFi estimates, followed by the distribution of crime events according to the taxonomy we created. Next, we describe which layers in the technical stack are most affected by these crime events, followed by an assessment of their financial damages.
CeFi versus DeFi estimates
As explained in the section above, we identified that some crime events involved CeFi actors (|$N=105$|), like centralized cryptoasset exchanges (CEX) that allow the flexible trading of both fiat and CA through a centralized governance system [4]. This finding is interesting as it shows the size and scope of DeFi crimes in comparison to CeFi. Fig. 4 illustrates the non-negligible role of CeFi in terms of financial damages related to CA. In fact, fewer events involved a CeFi actor, but they accounted for almost twice the financial damages of events involving a DeFi actor. One possible explanation is that high-scale fraud events, like Ponzi schemes and embezzlement, were mostly observed in the CeFi scene. Indeed, Ponzi schemes amounted to $7.3B in stolen funds alone, and embezzlement schemes amounted to $1.1B in our dataset. However, it is important to note that the data collection process focused specifically on compiling a comprehensive dataset of DeFi crime events, rather than CeFi crime events. As a result, there are likely additional crime events targeting the CeFi industry that are not captured in this dataset. Consequently, these figures highlight the significantly higher financial losses in the CeFi sector compared to DeFi. Note that CeFi events are not included in further results and analyses, as the framework we developed is ultimately used to map events onto a DeFi-specific technical stack.

Size and scope of DeFi crimes in comparison to CeFi. A bar chart with two panels compares crime event counts and financial damage. The top panel, labeled Crime event count, shows a large horizontal bar with a value of 1036 (number of DeFi crime events) and a much smaller bar with a value of 105 (number of CeFi crime events). The bottom panel, labeled Financial damage, shows a longer bar representing $19.5B (CeFi total financial damage) and a shorter bar representing $10B (DeFi total financial damage).
Introducing an evidence-based taxonomy
The first objective of this study is to develop an evidence-based taxonomy to identify the tactics and strategies used to steal money, as well as how DeFi actors are involved in crime events. The evidence-based taxonomy created thus illustrates how money can be—and is—stolen in the DeFi sector through a hierarchical structure that can be categorized through four main dimensions: (1) implication of DeFi actors, (2) strategies, (3) general tactics, and (4) specific tactics.
To begin, Fig. 5 highlights the possible implications of DeFi actors in crime events. DeFi actors can be direct targets of theft by a malicious actor, or they can themselves be perpetrators. In the latter case, DeFi actors and malicious actors merge into one actor targeting users. In the third implication, DeFi actors are used as intermediaries to reach users. Each implication is further explained below, considering the related strategies, as well as general and specific tactics uncovered. All statistics below represent proportions taking into account the 1036 DeFi-specific crime events in the dataset. For concision, definitions of specific tactics are presented in Appendix Table 5.

Implications of DeFi actors in crime events. This figure depicts the versatile roles DeFi actors can occupy in profit-driven crime through a simplified representation of a crime event unfolding, from the malicious source to the victimized party. In the first row, labeled DeFi actor as target, a malicious source targets a DeFi actor and utilizes it. In the second row, DeFi actor as malicious, the DeFi actor itself targets users. In the third row, DeFi actor as intermediary, a malicious source impersonates a DeFi actor to target users. Arrows indicate the direction of targeting in all cases.
DeFi actor as target
Crime events in which DeFi actors were direct targets represented 52.1% of the dataset and could be regrouped under two overarching strategies: exploiting technical vulnerabilities (46.7%) and exploiting human risks (3.1%). Note that in some technical vulnerability exploits, a third-party DeFi actor’s service (flash loans, oracles) could also be leveraged by malicious actors to better target the desired DeFi actor. In some cases (2.3%), we could not determine which strategy was used. The distribution of the strategies, general tactics, and specific tactics is presented in Fig. 6.

DeFi actor as target: distribution of strategies and tactics. Percentages are calculated based on the entire dataset. A flowchart shows the implication of DeFi actors as targets (52.1%) categorized into strategies, general tactics, and specific tactics with percentages. The dominant strategy is technical vulnerability (46.7%), which includes general tactics such as contract vulnerability (30.1%), hacked/exploited infrastructure (4.5%), decentralization issues (2.0%), interconnected actor flaws (7%), and transaction attacks (2.4%). The most common specific tactics under contract vulnerability include access control flaws (11.8%), logical bugs (5.2%), and re-entrancy (3.2%). The general tactic hacked infrastructure involves accessing private keys (3.8%) and ransomware (0.4%), while the general tactic leveraging decentralization issues (2%) includes the specific tactics 51% attacks (1.8%) and vote manipulation (0.2%). Flash loan arbitrage (3.6%) and oracle manipulation (3.1%) are specific tactics that appear under the general tactic interconnected flaws (7%). The general tactic transaction attack (2.4%) includes the specific tactics replay (0.3%), front-running (0.1%) and transaction congestion (2%). The second strategy is exploiting human risks (3.1%) and includes the general tactics internal theft (1.5%) and exploiting external factors (1.6%). Internal theft includes specific tactics like unauthorized use of private keys (0.7%) and contract vulnerability exploit (0.2%), among others. Exploiting external factors, on the other hand, includes exploiting operational mistakes (0.8%) and deceiving personnel (0.8%). A total of 2.3% of crime events have an undetermined strategy.
Specifically, contract vulnerability exploits included all events that aimed at exploiting smart contracts for malicious purposes. On the other hand, hacked/exploited infrastructure referred to crime events in which malicious actors successfully gained access to or exploited DeFi actors’ ‘traditional’ infrastructures, such as servers or corporate emails. Another tactic was exploiting interconnected actors’ flaws, which referred to situations where DeFi actors’ interconnections created an opportunity for theft. Also, all crime events in which actors benefited from the way transactions were processed in the blockchain were classified as transaction attacks. Lastly, all crime events that exploited a vulnerability by taking advantage of consensus mechanism loopholes or governance systems were labelled as decentralization issues. The second strategy related to exploiting human weaknesses, limitations, errors, or trust. In the database, two general tactics were found: internal theft and external theft exploiting human factors. The first one referred to insiders committing profit-driven crimes by taking advantage of their strategic position in the DeFi actor’s organization to perform unauthorized operations for personal gains. The second referred to events created by an outsider that take advantage of humans, as opposed to technical features, to steal money.
Events for which we could not determine the strategy used were categorized as undetermined. This category should not be seen as different from the two previous ones, but rather as a category encompassing events for which it was unclear or undisclosed if the strategy was rooted in technical vulnerabilities or exploiting human factors.
DeFi actor as perpetrator
Instead of being targets, DeFi actors were, 40.9% of the time, initiating the crime scheme. In this case, malicious actors and DeFi actors merged together, as the DeFi actor was not legitimate and aimed to steal directly from users. This implication alluded to scams where a developer deliberately created and operated a DeFi project with the intent to steal its investors’ assets. We observed two strategies used by DeFi perpetrators to steal money: malicious use of smart contracts (36%) and market manipulation (4.9%), as shown in Fig. 7. The first strategy, malicious use of contracts, referred to developers maliciously interacting with the contract they created through different operations to generate personal profit at the expense of other investors. Note that while existing literature differentiates between ‘soft rug pulls’ that involve removing or selling assets and ‘hard rug pulls’ that leverage malicious code within the contract itself, we categorized all these specific tactics under the term ‘rug pull scam’. For one, regardless of the specific tactic employed, the underlying strategy is the malicious utilization of a contract. Additionally, when examining the transaction history of contracts, it became evident that specific tactics can be used in complementary ways. For example, contract deployers could enable a hidden mint function prior to selling their share of assets.

DeFi actor as perpetrator: distribution of strategies and tactics. Percentages are calculated based on the entire dataset. A flowchart shows the implication of DeFi actors as perpetrators (40.9%), divided into two strategies: malicious use of contract (36.0%) and market manipulation (4.9%). Under malicious use of contract, the general tactic rug pull scam (36.0%) includes specific tactics: Liquidity removal (16.4%), Hidden mint function (3.6%), Selling restrictions (4.8%), Pump and dump (6.6%), and Undetermined (4.6%). Under Market manipulation, the general tactic misappropriation of funds (4.9%) includes Ponzi scheme (0.2%), scam presale, IDO, and ICO (4.5%), embezzlement (0.1%), and undetermined (0.1%).
The second strategy, market manipulation, referred to crime events in which DeFi perpetrators employed deceptive tactics to influence users to invest money in a project. These manipulative strategies led to illusory profitable trading or investment opportunities, which enabled perpetrators to profit at the expense of deceived participants. The only general tactic identified was misappropriation of funds. While rug pulls also rely on influencing users to invest in their token, misappropriation of funds does not require subsequent operations or malicious coding. Again, the distribution of the strategies, general tactic and specific tactics is presented in Fig. 7.
DeFi actor as intermediary
The third implication was when DeFi actors were used to reach users (7%). In such situations, DeFi actors served as intermediaries between the attacker and the targets; for instance, they might be imitated in fraudulent phishing schemes. Although DeFi actors could also suffer from such an attack, the ultimate target of the attack remained the users. The only strategy uncovered was imitation, where a malicious actor impersonated DeFi actors online to defraud users. The sole general tactic was user deception, as the goal was always to trick users into believing that the information provided through deception was valid. Also, note that the specific tactics, presented in Fig. 8, either used the DeFi actor’s compromised infrastructure or used a newly built infrastructure that resembled that of a legitimate DeFi actor to reach users.

DeFi actors as intermediary: distribution of strategies and tactics. Percentages are calculated based on the entire dataset. DeFi actors as intermediaries (7.0%), with the strategy imitation (7.0%), leading to the general tactic instant user deception (7.0%). Specific tactics include social media compromission (3.2%), phishing emails (0.2%), DNS attack (1.3%), evil twin (0.3%), fake ads/pop-ups (0.9%), front-end attack (0.1%), scam airdrops (0.4%), fake services (0.2%), and undetermined (0.4%).
Note that the low prevalence of DeFi actors as intermediaries in this dataset contradicts other studies focusing on phishing attacks, which highlight that such attacks are prevalent due to their simplicity and numerous opportunities [27,42]. This discrepancy arises because this dataset relied entirely on events reported by aggregators, as explained earlier, which might lack visibility into fraudulent platforms and impersonation schemes. Many of these schemes might also go unreported in the news media, leading to limited online visibility. It is likely that the dataset created for this study underrepresents the prevalence of such crime events. Therefore, such events are excluded from our subsequent DeFi technical stack mapping and stolen amount analysis. Future studies could enrich our dataset by adding such crime events and further comparing the three categories.
Technical impact assessment
The second objective of this study is to determine which technical layers of the DeFi tech stack are most affected by crime events. Our analysis is based on the previously introduced Augmented DSR model (refer to Fig. 3). We mapped each crime event to the most specific and relevant layer affected, focusing on the categories DeFi actor as target and DeFi actor as perpetrator. Starting from the 1036 crime events in the dataset, we also excluded actors that did not operate in one of the predefined categories presented in Appendix Table 4. Out of the remaining crime events that had a defined actor’s category, we also removed all events categorized under DeFi actor as intermediary because, while these events used services from DeFi actors, they did not directly impact the actors themselves. Figure 9 illustrates the relative distribution of these 938 crime events across the technical layers and based on the implication of DeFi actors.

Affected technical layers. This figure displays the technical layers of the Augmented DSR model (see Fig. 3) and illustrates the degree to which each layer has been impacted by DeFi crime events, according to the category of the DeFi actor involved. We differentiate between events where the DeFi actor was the victim and those where the actor played a perpetrator role. The figure compares DeFi actors as targets (left, N=516) and perpetrators (right, N=422) across categories, with percentages indicating counts. For DeFi actors as targets, categories are: DeFi Compositions (15.12%), DeFi Protocols (54.46%), Cryptoassets (17.44%), Distributed Ledger Technology (6.20%), and Interfaces (6.78%), while User Applications and System Infrastructure both show 0%. For DeFi actors as perpetrators, the largest category is Cryptoassets (72.75%), followed by DeFi Protocols (18.01%), DeFi Compositions (8.29%), and Distributed Ledger Technology (0.71%). Interfaces account for 0.24%, while User Applications and System Infrastructure are at 0%. A central gradient bar represents counts percentage, ranging from 0 (light) to 100 (dark).
In the first scenario, titled DeFi actor as a target, we analysed a total of 516 crime events. Our analysis revealed that the majority of these attacks targeted the DeFi Protocols layer, constituting 54.46% of all events. The Cryptoassets layer was the next most targeted, accounting for 17.44%. The DeFi Compositions layer was comparatively less affected, experiencing 15.12% of the attacks. The Interfaces to other systems were the subject of 6.78% of the events, while the Distributed Ledger Technology layer represented 6.20%. Significantly, there were no documented attacks on the foundational System Infrastructure or the User Application layers. This is because we mapped the events according to the main area of operation of the DeFi actor involved, and no ‘area of operation’ is system infrastructure or user application, even if the event affected these layers. Indeed, these results denote which layers were attacked based on the category of the actor who bore the financial impact. Also, layers external to the one corresponding to the actor’s category can be affected or exploited during an event. As depicted in Fig. 5, third-party DeFi actors might be instrumentalized for an attack. For instance, a DEX situated in the protocol layer could be targeted via oracle manipulation, inherently involving the interface layer.
In the second scenario, titled DeFi actor as perpetrator, we examined a total of 422 crime events. Our findings indicated that actions within the Cryptoassets layer, notably custom token contracts, were the primary methods used to target other users, representing an astonishing 72.75% of the events. The DeFi Protocols and Protocol Compositions layers were less frequently utilized, comprising 18.01% and 8.29% of the events, respectively. The Interfaces to other systems and the foundational Distributed Ledger Technology had minimal involvement of 0.24% and 0.71%, thus both playing a rather subordinate role in this scenario.
Size and scope of financial damages
The third objective of this study is to quantify the financial damages associated with these crimes. For this section, the sample includes crime events mapped onto the technical stack that displayed a financial damage amount. To begin, Table 1 presents the sum of financial damages based on the position of actors in crime events, as well as the strategies used to steal money. As shown in Table 1, crime events targeting DeFi actors resulted in a loss of $7.7B, of which technical vulnerabilities accounted for $6.4B of damages and human risks for $980M. Note that 83% of all financial damages related to crime events that directly targeted DeFi actors. On the other hand, crime events where the DeFi actor was the perpetrator led to losses of $1.6B (the remaining 17%). Within these, malicious use of contracts represented about half of the financial damages ($644M), and market manipulation constituted the other half ($905.6M). In total, from 2017 to 2022, crime events where DeFi actors were targeted resulted in greater financial damages than those where DeFi actors were themselves perpetrators.
Total financial damages in USD. This table separates financial damages resulting from targeted DeFi actors from those resulting from DeFi perpetrators, along with financial damages specific to strategies. Overall, DeFi actors being targeted generated significantly more financial damages than DeFi actors acting maliciously.

| Scenarios | Strategies | Count | Financial damage ($) |
|---|---|---|---|
| DeFi actor as target | Technical vulnerability | 383 | 6.4B |
| | Human risks | 28 | 980M |
| | Undetermined | 22 | 321M |
| | Total | 433 | 7.7B |
| DeFi actor as malicious | Malicious use of contracts | 356 | 644M |
| | Market manipulation | 49 | 905.6M |
| | Total | 405 | 1.6B |
Examining the mean differences between these two categories presents an interesting narrative. Based on a Mann–Whitney U test, crime events in which DeFi actors were targets (|$\tilde{x}$| = $800 000) resulted in significantly higher financial damages (|$U = 126\,874, P = .000, d = 0.446$|) per crime event than those in which DeFi actors were perpetrators (|$\tilde{x}$| = $88 736).
Figure 10 illustrates the distribution of financial damages based on the actors’ implication and their related strategies. To determine whether the visible differences in the figure were statistically significant, we conducted a series of tests. Firstly, the Kruskal–Wallis test, which compared financial damages based on the main strategies used in the crime event, was significant (|$H=139.04, P=.000, \epsilon ^2=0.17$|).

Financial damages distributions for strategies and stack layers. This figure visualizes, first, differences in financial damages between the strategies and implication of actors, and second, financial damages between the tech stack layers. The top panel contains boxplot panels comparing financial damages (from $1k to $1B) for DeFi actors as perpetrators (dark gray) and targets (light gray) as well as across Strategies: Malicious use of contract, Market manipulation, Human risk, and Technical vulnerability. Median damages are highest for Human risk and Technical vulnerability. The bottom panel displays financial damages (from $1k to $1B) across the DeFi stack: Distributed Ledger Technology, Cryptoassets, DeFi Protocols, DeFi Compositions, and Interfaces.
Post hoc test results suggested that exploiting human risks led to significantly more financial damages than all other strategies. Specifically, exploiting human risks (|$\tilde{x}$| = $2 073 280) led to significantly more financial damages (|$P=.000, d=0.78$|) than malicious use of contracts (|$\tilde{x}$| = $76 018), significantly more damages (|$P=.027, d= 0.333$|) than exploiting technical vulnerabilities (|$\tilde{x}$| = $764 523) and significantly more damages (|$P=.000, d= 0.638$|) than market manipulation (|$\tilde{x}$| = $159 136).
Post hoc test results also suggested that malicious use of contracts (|$\tilde{x}$| = $76 018) led to fewer financial damages compared to exploiting human risks (as mentioned above) but also led to significantly fewer financial damages (|$P=.000, d=0.45$|) than exploiting technical vulnerabilities (|$\tilde{x}$| = $744 000). The remaining tests were nonsignificant.
Table 2 presents how the financial damages were distributed in the tech stack. The DP layer faced the most financial damages with a total of $2.6B, followed by the INT layer with $2.5B of losses. Then, the CA layer faced $1.8B of damages, followed by the DLT layer with $1.5B and, finally, the DeFi composition (DC) layer with $925M. However, note that the number of events happening on each layer differs, as discussed above.
Total financial damages in USD in descending order. This table shows the sum of financial damages that can be associated with the different stack layers. The protocol and interface layers faced the most extensive financial damages, even if the CA layer was involved in more crime events.

| Category | Count | Financial damage ($) |
|---|---|---|
| DeFi protocols (DP) | 298 | 2.6B |
| Interface (INT) | 34 | 2.5B |
| Cryptoassets (CA) | 375 | 1.8B |
| Distributed ledger technology (DLT) | 24 | 1.5B |
| DeFi compositions (DC) | 107 | 925M |
Figure 10 also shows the distribution of financial damages in the tech stack. Similarly to above, to assess whether the differences that can be seen in the figure are significant, we computed a series of statistical tests. The Kruskal–Wallis H test comparing financial damages according to where the crime event took place on the tech stack was also significant (|$H=139.65, P=.000, \epsilon ^2=0.17$|).
The results of the post hoc tests showed that crimes targeting the CA layer led to fewer financial damages than crimes targeting other layers. Indeed, with the post hoc tests, we found that crime events targeting the CA layer (|$\tilde{x}$| = $83 960) led to significantly fewer damages (|$P=.000, d= 0.34$|) than crimes targeting the DeFi Protocols (DP) layer (|$\tilde{x}$| = $522 807), significantly fewer damages (|$P=.000, d= 0.66$|) than crimes targeting the Interface layer (|$\tilde{x}$| = $800 000), significantly fewer damages (|$P=.000, d= 0.62$|) than crimes targeting the DC layer (|$\tilde{x}$| = $1 300 000) and significantly fewer damages (|$P=.000, d= 0.54$|) than crimes targeting the Distributed Ledger Technology (DLT) layer (|$\tilde{x}$| = $1 655 628).
Crimes targeting the DeFi protocol layer (DP) (|$\tilde{x}$| = $522 807) led to significantly fewer financial damages (|$P=.000, d= 0.27$|) than crimes targeting the Interface (INT) layer (|$\tilde{x}$| = $800 000) and significantly fewer damages (|$P=.000, d= 0.21$|) than crimes targeting the DC layer (|$\tilde{x}$| = $1 300 000). The remaining tests were nonsignificant.
Discussion
Previous studies have developed various categorizations to better understand crime events, from considering DeFi technologies as a facilitating tool for cybercrime versus a target of attack [69] to differentiating between technical and market attacks [29,30]. To move beyond these general categorizations, this study presents an innovative view on illicit activities taking place in the DeFi sector by combining the implications of DeFi actors in the crime event as well as the strategies and tactics used by malicious actors. The developed taxonomy, combined with interpretations on how it plays on the Augmented DSR model [3], as well as estimates on the total recorded financial damages, provides a comprehensive, informative and unique portrayal of the DeFi crime landscape. We present below the study’s key takeaways, as well as how they are embedded with previous studies on the topic.
CeFi: important financial damages
While significant efforts are directed towards research that aims at improving and securing DeFi services, our study highlights that the CeFi industry plays a dominant role in financial damages related to CA. Indeed, the findings highlight that the entire CA industry suffered, from 2017 to 2022, a minimum loss of $30 billion, with two-thirds relating to CeFi and one-third to DeFi. This finding is significant considering that the data collection focused on creating a comprehensive account of DeFi crime events, and while only 105 CeFi crime events were flagged during the collection, these events account for much more financial damages than the 1036 DeFi crime events. This may be due to large-scale frauds such as Ponzi schemes, which account for $7.3B, and embezzlement schemes, which account for $1.1B of all the recorded stolen amounts. Given these differences in scale, potentially, the decentralized features provided by the DeFi technologies may, in the end, better protect users against such large-scale frauds. The DeFi industry may, moreover, be smaller in scale than the CeFi one. In the end, considering that, these days, most CA trading occurs off-chain via centralized exchanges [70,71], subsequent studies should aim to further investigate the CeFi space, as these services might harbor greater vulnerabilities than anticipated.
Vulnerable DeFi actors as main target for profit-driven crime
The results highlighted that 52% of crime events directly targeted DeFi actors and that these events caused 83% ($7.7B out of $9.3B) of recorded financial damages in the DeFi sector. Moreover, crime events in which DeFi actors were targeted led to, on average, more financial damages than crime events in which DeFi actors were perpetrators. These results should not be underestimated: DeFi actors are the primary victims of crime taking place in the ecosystem. Similarly to our results, a private industry report [47] highlighted that the 10 most financially devastating attacks of 2020 were almost all carried out using price manipulation, manipulation of oracles, flash loans, and exploitation of vulnerabilities in smart contracts, which are all components of our technical vulnerability strategy. In our results, almost all attacks targeting DeFi actors leveraged a technical vulnerability, as opposed to a human risk. Moreover, note that a third of all crime events also pertained to vulnerabilities found in smart contracts. That DeFi projects are vulnerable and can be exploited is well-known [36]. The alarming proportion of smart contract exploitations was also mentioned in various studies [32,36,37]. One study also highlighted that inadequate authentication and authorization were major problems, as they were a frequent cause of vulnerability in smart contracts [14]. This is also reflected in our findings, as access control flaws were the most prevalent specific tactic related to contract exploitation. This suggests a need for better access control mechanisms in contracts.
Also, note that the second strategy related to DeFi actor as target, exploitation of human risks, yielded $980M in losses for 28 events. Hence, such a strategy generates large financial losses per event. While human risks appear less prevalent in our dataset, it is also important to remember that 2.3% of the events have an undetermined strategy. It is possible that some of these events occurred because of a human risk (such as employee deception) that was not disclosed, or has yet to be uncovered. Moreover, the study does not account for mixed strategies: some crime events may have had a human component that was not taken into account. Indeed, various social engineering techniques can be used in tandem with the tactics displayed in the taxonomy to steal money from DeFi actors and users. Further studies could investigate how, and to what extent, the crime events displayed in the dataset had a human component, beyond the obvious ones that were categorized under the exploiting human risk strategy. In the end, the results suggest that DeFi actors should not solely focus on securing their smart contracts to mitigate external threats, but should also revisit and improve the precautions taken at the internal level.
DeFi actor as perpetrator: malicious uses of contracts and limited financial damages
On the other hand, in about 41% of crime events, DeFi actors were themselves perpetrators, but the financial damages amounted to only 17% ($1.6B out of $9.3B) of recorded financial damages. These results differ from other studies that reported higher instances and higher impacts of malicious DeFi projects [48–51]. This may be because these other studies leveraged machine learning technologies to scan contracts and find malicious ones. However, a contract that may contain malicious code does not mean that such code was used. Also, what makes a contract malicious can sometimes be interpreted differently. For example, a liquidity function can be seen as a potential backdoor, but may also be considered a necessary function to control a token’s liquidity. Also, note that an industry report stated that users lost about USD 2.8B when rug pulls were at their peak in 2021 [47]. Such a number differs largely from our findings of $1.6B. However, the report does not provide any information on the methods used to aggregate the data, and also includes CeFi actors in the analysis, considering smart contract rug pulls and CeFi exit scams both as rug pulls. Such a finding stresses the need for scientific and rigorous research on the topic. In this study, we recorded known events in which users lost money following their investments in the DeFi sector. These crime events are smaller in scale, as the results show that crime events in which the DeFi actors were perpetrators yielded fewer financial damages than crime events in which DeFi actors were legitimate and, subsequently, targeted.
Also, the study’s findings highlight that malicious uses of contracts, the main strategy identified, yielded fewer financial damages than other strategies. This may be because tools and techniques have been developed to detect them as many academic studies have investigated the topic [48–51]. This is inspiring: there should be efforts to continuously develop such tools that identify contracts with functions that can be used for malicious purposes. Such tools should be disseminated to the general public. Still, if malicious activity is easily detected but not adequately reported, users are still at risk. This reinforces the relevance of developing mediums to efficiently broadcast such information to the community.
Also, note that market manipulation, the second strategy related to DeFi actors as perpetrator, yielded $905.6M in losses for only 49 events. Hence, the individual financial impact of such crime events is high. Similarly to above, these results therefore highlight that users should be careful in deciding what to invest in, as fraudulent investment projects can result in large losses.
Main impacted layers: DeFi protocol, CA, and interface layers
The results of this study also shed light on the most vulnerable layers of the tech stack, considering the actor’s involvement in the crime events. In terms of prevalence, when DeFi actors are targeted, the most impacted DeFi tech stack layer is the DeFi protocols layer, and when DeFi actors are perpetrators, it is the CA layer. The latter can be explained by the fact that our crime event dataset includes mostly rug pull scams. These crime events involved FTs, which are a specific type of CA. The impact on the DeFi protocols layer is also intuitive as this layer encompasses the core financial functions (e.g. token swaps, borrowing, lending, etc.) offered by DeFi services. In DeFi-specific crime events, these financial functions thus represent natural targets. In terms of financial damages, DeFi protocols have faced most damages, with a total loss of $2.6B. The CA layer, on the other hand, faced $1.8B of losses. Hence, to mitigate victimization, it might be essential to emphasize the vulnerabilities of these two layers.
Our results also showed that the Interface layer faced high financial damages in a relatively small number of events (36): $2.5B. These results show partial similarities with [35]. These authors found that yield farming and bridges accounted for a large proportion of losses (44%) related to the studied DeFi incidents. However, note that previous studies investigating blockchain security [14,34,72] relied on a slightly different stack. In these studies, the smart contract and application layers are separated [14,34,72], while in our study, which builds on [3], smart contracts are inherent to the DLT application layer, which encompasses all applications like CA, DeFi protocols, and DCs. Such studies point out that the application layer, including programmable currencies and finance, and the smart contract layer, were the most involved in crime events. These findings are similar to ours as we find that most actors impacted by crime events operated mainly either at the DeFi protocol or the CA layer. Another study [35] leveraged a set of 181 crime events from similar sources to ours and observed that the smart contract layer (42%), protocol layer (40%), and auxiliary services layer (30%) were the most common causes of incidents. That the smart contract and the protocol layer are most targeted aligns with our findings. However, this study [35] shows a higher percentage at the auxiliary service layer (30%), compared to our study, which finds limited crime events at the Interface layer (7%). Such discrepancy could be explained by the authors’ decision to include CeFi businesses and wallets as auxiliary services on top of off-chain oracles and cross-chain bridges, while we discarded non-DeFi specific related events from our stack mapping. In addition, our mapping was based on the category of the involved DeFi actor rather than the cause of the incident, as oracle services can be utilized rather than targeted. 
It is also relevant to mention that while none of these studies introduced a clear distinction between targeted DeFi actors and DeFi perpetrators, some do simultaneously include targeted and fraudulent DeFi projects in their studied crime events [14,34,35,72].
Limits and further research
This study is the first of its kind, providing a comprehensive overview of crimes targeting the DeFi industry. However, several limitations must be acknowledged. First, the crime event dataset developed in this study depends on external aggregators, which themselves rely on publicly reported events. As a result, numerous crime events may have occurred without public disclosure, or minor events may not have received enough attention to be captured by these aggregators. Additionally, the results likely underestimate crime events involving DeFi intermediaries, as these are often not recorded by aggregators. Such events frequently involve phishing activities targeting clients and are typically extensive in both size and scope [26,27,46]. Further research should build on the dataset created (which is available online) and include such types of crime events. Moreover, further research could focus on developing a comprehensive dataset of CeFi crime events.
The taxonomy created also focused on identifying the main strategy and tactic (both general and specific) behind each crime event. However, some crime events may involve multiple strategies and tactics. Further research could explore how strategies and tactics are used in conjunction with one another. Moreover, social engineering may be underestimated in this study, as in some cases, the use of social engineering techniques might remain undisclosed or could be uncovered later. Online news articles and aggregators tend to report events as early as possible to quickly inform the DeFi community, but thorough and time-consuming investigations are sometimes necessary to produce an accurate postmortem analysis. In fact, while most technical vulnerabilities and malicious transactions leave digital traces on the blockchain, this is not the case for vulnerabilities associated with human behavior. These may be more difficult to uncover quickly. Further research could focus on studying the use of social engineering as a primary tactic or as a secondary one in the crime events uncovered in this study. Additionally, our data was collected at a specific point in time, but the available information on crime events is dynamic. Therefore, it would be relevant to update the database regularly to observe, track, and account for changes across strategies and tactics.
Finally, the financial damages reported are dependent on the method used. In this study, we relied on aggregators and, subsequently, news sources. Further research could assess the accuracy of the reported amounts by conducting blockchain investigations. Additionally, given the large fluctuations in CA prices, there may be significant differences in the reported amounts. For example, in the case of the Ronin Bridge, some media reported a loss of $551M [73], while others reported $625M [74]. This discrepancy was due to a price peak in ETH shortly after the hack. This is one example of how price fluctuations complicate the estimation process. While this limitation is inevitable, we can only aim to minimize discrepancies as much as possible.
Conclusion
This study first highlights that the entire CA industry suffered, from 2017 to 2022, a minimum loss of $30 billion, with two-thirds relating to CeFi and one-third to DeFi. Focusing on the latter, this study examines crime events taking place in the DeFi sector by mapping their common tactics and strategies as well as the level of involvement for DeFi actors. This approach sheds light on victimized parties, whether DeFi actors or users. It also provides information on the most common methods taken by malicious actors to initiate such events, offering insights that can be leveraged to better secure the ecosystem. The dataset developed for this study is available online (https://zenodo.org/records/14047933) to support research reproducibility and further analysis.
Our findings have implications for DeFi stakeholders. Given that DeFi actors are primary targets of attacks, regulatory authorities, such as financial market authorities, should develop best practices in cybersecurity, encouraging measures like smart contract audits, cybersecurity training, and background checks for employees. These authorities could also consider fostering collaboration between traditional finance experts and DeFi platforms to develop standards that address technical vulnerabilities without stifling innovation. Since DeFi actors can also serve as intermediaries or perpetrators, regulatory authorities should enhance efforts to raise user awareness about the risks associated with investing in DeFi activities. This can be achieved through targeted educational campaigns and clear guidelines on identifying potential scams or fraudulent behavior. The results of this study can be used in such campaigns as estimates of the size and scope of predatory profit-driven crime in the DeFi industry. Finally, for end users and investors, our findings indicate that using DeFi services is risky and could result in a complete loss of invested funds. While attack vectors such as rug pulls may seem trivial, they are often difficult to detect, even for technically savvy users. Therefore, DeFi services should be approached with great caution.
Acknowledgements
We would like to thank Liuhuaying Yang for her work on the infographics and her patience working with us. We would also like to thank the administrators of De.Fi REKT, SlowMist, and Cryptosec for maintaining the crime event databases; and specifically, the admins of De.Fi REKT for answering our questions and providing us with a research API access.
Author contribution
Catherine Carpentier-Desjardins (Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Validation, Visualization, Writing – original draft, Writing – review & editing), Masarah Paquet-Clouston (Conceptualization, Formal analysis, Funding acquisition, Investigation, Methodology, Project administration, Resources, Supervision, Validation, Visualization, Writing – original draft, Writing – review & editing), Stefan Kitzler (Data curation, Formal analysis, Methodology, Validation, Visualization, Writing – original draft, Writing – review & editing), and Bernhard Haslhofer (Conceptualization, Formal analysis, Methodology, Resources, Supervision, Visualization, Writing – original draft, Writing – review & editing)
Conflict of interest
None declared.
Funding
This research was funded with an insight development grant from the Social Sciences and Humanities Research Council (SSHRC) (grant number 430-2022-00531) as well as the Human Centric Cybersecurity Partnership (HC2P). It was also partially funded by the Austrian security research program KIRAS of the Federal Ministry of Finance (BMF) under the project DeFiTrace (grant agreement number 905300), the FFG BRIDGE project AMALFI (grant agreement number 898883), and the COMET Centre ABC (Austrian Blockchain Center) managed by the FFG (grant agreement number 909237).
Appendix
Crime events statistics
Descriptive statistics on crime financial damages in USD. This table shows basic statistics on the financial damages reported by the events in our dataset. Note that information on damages was only available for 995 out of 1153 events.
| | Min | Mean | Med | Std | Max | Total |
|---|---|---|---|---|---|---|
| Damage | $158 | $29.9M | $345k | $207M | $3.6B | $29.5B |
Crime events by technical area of operation. This table lists technical areas of operation for DeFi actors, presenting both annual and cumulative crime event counts and financial impact. FTs, Dapps, and exchanges were the most involved in crime events, while bridges, FTs, and blockchains display the most extensive crime event related financial damages. Reported amounts are in USD.
| Category | 2017 | 2018 | 2019 | 2020 | 2021 | 2022 | Total ($Damage) |
|---|---|---|---|---|---|---|---|
| Blockchain | – | 8 ($23.3M) | 4 ($8.1M) | 11 ($769.5M) | 5 ($22.6M) | 9 ($655.6M) | 37 ($1.5B) |
| Bridge | – | – | – | 1 ($0) | 11 ($667.9M) | 18 ($1.8B) | 30 ($2.5B) |
| Dapp | – | 33 ($7.5M) | 59 ($9.1M) | 14 ($26.6M) | 27 ($395.5M) | 61 ($142.4M) | 194 ($581.1M) |
| Derivatives | – | – | 1 ($0) | 2 ($419k) | 2 ($6.7M) | 5 ($21.5M) | 10 ($28.7M) |
| Exchange | 1 ($251k) | 3 ($23.6M) | – | 19 ($265.7M) | 46 ($529M) | 47 ($406.4M) | 116 ($1.2B) |
| FT | 2 ($33.5M) | 5 ($1.1B) | 3 ($5M) | 116 ($34.3M) | 88 ($115.3M) | 159 ($407.9M) | 373 ($1.7B) |
| Lending | – | – | – | 13 ($180.5M) | 19 ($376.8M) | 25 ($191.8M) | 57 ($749.1M) |
| NFT | – | – | – | 2 ($8M) | 6 ($5.7M) | 37 ($48.1M) | 45 ($61.8M) |
| Oracle | – | – | – | 1 ($270.7k) | 3 ($1.8M) | 3 ($1.6M) | 7 ($3.7M) |
| Other | 5 ($212.4M) | 5 ($51.5M) | 7 ($170.1M) | 13 ($60M) | 7 ($1.8M) | 13 ($49.2M) | 50 ($545.2M) |
| Staking | – | – | – | 1 ($2.5k) | 10 ($110.1M) | 11 ($70.8M) | 22 ($180.9M) |
| Yield | – | – | – | 15 ($86.1M) | 57 ($582M) | 23 ($221.5M) | 95 ($889.6M) |
| ALL | 8 ($246.1M) | 54 ($1.2B) | 74 ($192.4M) | 208 ($1.4B) | 281 ($2.8B) | 411 ($4B) | 1036 ($10B) |
General and specific tactics definitions
General and specific tactics definitions. For concision purposes, this table regroups and defines all possible general and specific tactics referenced in Figs 6–8, the two most disaggregated categories of our taxonomy. The general tactic refers to the broad method used by malicious actors to steal assets, while the specific tactic specifies the possible techniques that can be used to achieve the former.
| General tactic | Definition | Specific tactic | Definition |
|---|---|---|---|
| Contract vulnerability | A vulnerability in a smart contract’s code is exploited for theft purposes | Reentrancy | A withdraw function is repeatedly called before the vulnerable contract updates its balance. |
| | | Access control flaw | Insufficient permission checks allowing privileged terms or functions to be called. |
| | | Logical bug/custom flaw | Wrong ordering of a smart contract’s code lines, or design flaw in the logic of the code leading to unintended or unexpected behavior. |
| | | Rollback | Defrauding a lottery game without paying the bet cost by rolling back the corresponding unsatisfied reversible transaction. |
| | | Random number | A malicious actor exploits the vulnerabilities in a procedure to generate random numbers. The random value is predicted by running a weak pseudo-random number generator (PRNG). |
| | | K-value verification vulnerability | K-value is not verified properly |
| Hacked/exploited infrastructure | A vulnerability in the infrastructure of a DeFi actor’s platform is exploited and allows malicious activities to be carried out | Accessing private keys/data | A malicious actor accesses sensitive information stored by a DeFi actor. |
| | | BGP hijack | Internet traffic is rerouted by a malicious actor. |
| | | Ransomware | A DeFi actor is blackmailed after a malicious actor accessed some of their sensitive information. |
| Interconnected actors flaw | A loophole in a financial service implicating multiple DeFi actors leads to a vulnerability that is exploited by a malicious actor | Flash loan arbitrage | Performing arbitrage or exploiting a poorly designed economic model with flash loan-funded capital to maximize profit. |
| | | Oracle manipulation | Profiting from an oracle routing incorrect price information to a DeFi actor’s smart contract, or an inefficient oracle price feed. |
| Transaction attack | Malicious actors profit from the blockchain’s transaction ordering process to carry out malicious activities | Replay | Intercepting and copying a user’s transaction data and replaying it on another blockchain. |
| | | Frontrunning | Front-running a transaction on hold by leveraging the importance of gas fees. |
| | | Transaction congestion | Sending an abnormal number of small transactions on a platform to mislead smart contracts. |
| Decentralization issue | The governance or consensus mechanism of a DeFi actor is targeted to carry out malicious activities | 51% attack | A malicious user gains control of more than 50% of the mining power in a blockchain |
| | | Vote manipulation | Taking over a smart contract or reshaping the rules by initiating a proposal with the certainty of obtaining the required votes. |
| Internal theft | An insider commits theft by taking advantage of their strategic position in the DeFi actor’s organization to perform unauthorized operations for personal gain | Unauthorized use of private key | A team member accesses a DeFi actor’s private keys and performs unauthorized transactions for his personal benefit. |
| | | Contract vulnerability exploit | A team member discovers and exploits a contract vulnerability, instead of disclosing or fixing it. |
| | | Malicious code injection | A rogue developer injects malicious code in a smart contract during its deployment or while it is being upgraded to steal assets or drain the contract. |
| | | Backdoor | A team member inserts a backdoor during the development of a smart contract. |
| External factors | A malicious actor obtains a DeFi actor’s sensitive information that allows him to commit theft by taking advantage of a platform’s mistakes or by directly targeting employees | Exploiting operational mistake | Team member compromises sensitive information by mishandling it or storing it ineffectively. |
| | | Deceiving personnel | Team member is deceived into granting funds or data access to a malicious external party. |
| Un-determined | It is unclear if the event is rooted in technical vulnerabilities or human risks. A malicious party obtains private keys or data by uncertain means, either by deceiving personnel or exploiting the DeFi actor’s infrastructure | Accessing private keys/data | |
| Rug pull scam | A project’s creator performs malicious actions with its project’s assets or inserts malicious terms/functions in the project’s code to perform an exit scam and defraud users | Liquidity removal | The creator removes its share of liquidity from the project’s liquidity pool for personal profit. |
| | | Selling restrictions | The creator disables the transfer function, which restricts users from selling their assets. |
| | | Hidden mint function | The creator implements a hidden mint function that enables him to selfishly get additional tokens. |
| | | Pump and dump | The creator works on increasing the value of his project before selling all of his personal assets at the inflated price. |
| Misappropriation of funds | A project’s creator uses investors’ funds for personal gain | Ponzi scheme | Creators ensure steady personal profit with a constant flow of investors. Funds obtained from recent investors are routed as profit to earlier ones to maintain the illusion of a successful project. |
| | | Embezzlement | Part of investors’ funds are being used for different purposes than the DeFi actor’s legitimate business activities. |
| | | Scam presale, initial DEX offering (IDO), and initial coin offering (ICO) | Users purchase assets prior to their release date or donate to raise funds for a startup protocol but the creator never delivers the project. |
| Instant user deception | Users are prompted to interact with content that seems to be displayed by legitimate DeFi actors. Ultimately, they are deceived by malicious actors, who gain access to their personal information or their assets. | Social media compromission | A DeFi actor’s social media account is hijacked and used to post malicious material that aims to defraud users. |
| | | Phishing emails | Phishing emails are sent to a DeFi actor’s users. |
| | | DNS attack | The website’s home page of a DeFi actor is altered to redirect users to phishing content. |
| | | Evil twin | Fake websites using techniques like typosquatting deceive users into thinking it is the legitimate DeFi actor’s website. |
| | | Fake ads/pop-ups | Ads are purchased for phishing websites to be displayed amongst the first search results. |
| | | Scam airdrops | Phishing tokens are airdropped to users, who are redirected to a fake website when trying to redeem them. Their approval allows the malicious actor to take control of their wallet. |
| | | Front-end attack | A vulnerability in the front end is used to upload malicious files on a server to deceive users. |
| Fake services | A user invests on a platform, but the intended service is never delivered as the platform was invented to defraud |
General and specific tactics definitions. For concision purposes, this table regroups and defines all possible general and specific tactics referenced in Figs 6–8, the two most disaggregated categories of our taxonomy. The general tactic refers to the broad method used by malicious actors to steal assets, while the specific tactic specifies the possible techniques that can be used to achieve the former.
| General tactic | Definition | Specific tactic | Definition |
|---|---|---|---|
| Contract vulnerability | A vulnerability in a smart contract’s code is exploited for theft purposes | Reentrancy | A withdraw function is repeatedly called before the vulnerable contract updates its balance. |
| | | Access control flaw | Insufficient permission checks allow privileged terms or functions to be called. |
| | | Logical bug/custom flaw | Wrong ordering of a smart contract’s code lines, or a design flaw in the logic of the code, leading to unintended or unexpected behavior. |
| | | Rollback | Defrauding a lottery game without paying the bet cost by rolling back the corresponding unsatisfied reversible transaction. |
| | | Random number | A malicious actor exploits the vulnerabilities in a procedure to generate random numbers. The random value is predicted by running a weak pseudo-random number generator (PRNG). |
| | | K-value verification vulnerability | The K-value is not verified properly. |
| Hacked/exploited infrastructure | A vulnerability in the infrastructure of a DeFi actor’s platform is exploited and allows malicious activities to be carried out | Accessing private keys/data | A malicious actor accesses sensitive information stored by a DeFi actor. |
| | | BGP hijack | Internet traffic is rerouted by a malicious actor. |
| | | Ransomware | A DeFi actor is blackmailed after a malicious actor accessed some of their sensitive information. |
| Interconnected actors flaw | A loophole in a financial service implicating multiple DeFi actors leads to a vulnerability that is exploited by a malicious actor | Flash loan arbitrage | Performing arbitrage or exploiting a poorly designed economic model with flash loan-funded capital to maximize profit. |
| | | Oracle manipulation | Profiting from an oracle routing incorrect price information to a DeFi actor’s smart contract, or an inefficient oracle price feed. |
| Transaction attack | Malicious actors profit from the blockchain’s transaction ordering process to carry out malicious activities | Replay | Intercepting and copying a user’s transaction data and replaying it on another blockchain. |
| | | Frontrunning | Front-running a transaction on hold by leveraging the importance of gas fees. |
| | | Transaction congestion | Sending an abnormal number of small transactions on a platform to mislead smart contracts. |
| Decentralization issue | The governance or consensus mechanism of a DeFi actor is targeted to carry out malicious activities | 51% attack | A malicious user gains control of more than 50% of the mining power in a blockchain. |
| | | Vote manipulation | Taking over a smart contract or reshaping the rules by initiating a proposal with the certainty of obtaining the required votes. |
| Internal theft | An insider commits theft by taking advantage of their strategic position in the DeFi actor’s organization to perform unauthorized operations for personal gain | Unauthorized use of private key | A team member accesses a DeFi actor’s private keys and performs unauthorized transactions for his personal benefit. |
| | | Contract vulnerability exploit | A team member discovers and exploits a contract vulnerability, instead of disclosing or fixing it. |
| | | Malicious code injection | A rogue developer injects malicious code into a smart contract during its deployment or while it is being upgraded to steal assets or drain the contract. |
| | | Backdoor | A team member inserts a backdoor during the development of a smart contract. |
| External factors | A malicious actor obtains a DeFi actor’s sensitive information that allows him to commit theft by taking advantage of a platform’s mistakes or by directly targeting employees | Exploiting operational mistake | A team member compromises sensitive information by mishandling it or storing it ineffectively. |
| | | Deceiving personnel | A team member is deceived into granting funds or data access to a malicious external party. |
| Un-determined | It is unclear if the event is rooted in technical vulnerabilities or human risks. A malicious party obtains private keys or data by uncertain means, either by deceiving personnel or exploiting the DeFi actor’s infrastructure | Accessing private keys/data | |
| Rug pull scam | A project’s creator performs malicious actions with its project’s assets or inserts malicious terms/functions in the project’s code to perform an exit scam and defraud users | Liquidity removal | The creator removes its share of liquidity from the project’s liquidity pool for personal profit. |
| | | Selling restrictions | The creator disables the transfer function, which restricts users from selling their assets. |
| | | Hidden mint function | The creator implements a hidden mint function that enables him to selfishly get additional tokens. |
| | | Pump and dump | The creator works on increasing the value of his project before selling all of his personal assets at the inflated price. |
| Misappropriation of funds | A project’s creator uses investors’ funds for personal gain | Ponzi scheme | Creators ensure steady personal profit with a constant flow of investors. Funds obtained from recent investors are routed as profit to earlier ones to maintain the illusion of a successful project. |
| | | Embezzlement | Part of investors’ funds is used for purposes other than the DeFi actor’s legitimate business activities. |
| | | Scam presale, initial DEX offering (IDO), and initial coin offering (ICO) | Users purchase assets prior to their release date or donate to raise funds for a startup protocol but the creator never delivers the project. |
| Instant user deception | Users are prompted to interact with content that seems to be displayed by legitimate DeFi actors. Ultimately, they are deceived by malicious actors, who gain access to their personal information or their assets. | Social media compromission | A DeFi actor’s social media account is hijacked and used to post malicious material that aims to defraud users. |
| | | Phishing emails | Phishing emails are sent to a DeFi actor’s users. |
| | | DNS attack | The website’s home page of a DeFi actor is altered to redirect users to phishing content. |
| | | Evil twin | Fake websites using techniques like typosquatting deceive users into thinking it is the legitimate DeFi actor’s website. |
| | | Fake ads/pop-ups | Ads are purchased for phishing websites to be displayed amongst the first search results. |
| | | Scam airdrops | Phishing tokens are airdropped to users, who are redirected to a fake website when trying to redeem them. Their approval allows the malicious actor to take control of their wallet. |
| | | Front-end attack | A vulnerability in the front end is used to upload malicious files on a server to deceive users. |
| Fake services | A user invests on a platform, but the intended service is never delivered as the platform was invented to defraud | | |